Trustwave Managed Security Testing

Identify Vulnerabilities Before an Attacker Does

DON'T GUESS. TEST.

Trustwave Managed Security Testing reveals your vulnerabilities and alerts you to the consequences of exploitation. Data security teams need to know what they’re protecting and what they’re protecting it from to make good risk management decisions and technology investments. Security testing helps businesses identify their network-connected assets, learn how those assets are vulnerable to attack, and understand what could happen if those assets were compromised.

Businesses use Trustwave Managed Security Testing as a single platform for all of their managed vulnerability assessment, database security testing, network penetration testing, and application penetration testing needs.

WHAT IS PENETRATION TESTING OR "ETHICAL HACKING"?

A penetration test or "ethical hack" evaluates an application's or network's ability to withstand attack. During a penetration test, you authorize an expert (or "ethical hacker") armed with the same techniques as today's cybercriminals to hack into your network or application. Such an exercise will open your eyes to vulnerabilities you didn't know existed and the effects of exploitation.

HOW DOES PEN TESTING DIFFER FROM VULNERABILITY SCANNING?

Vulnerability scanning evaluates a system for potential vulnerabilities or weak configurations, is largely automated and can only ever find a subset of security issues. Penetration testing, on the other hand, is a manual process performed by a human. A penetration tester will use tools as a part of their work, but they apply their human ingenuity to exploit vulnerabilities and illustrate what an attacker might be capable of when targeting a particular system.

Overview:

The right security test at the right time through one vendor without the hassle.

Managed Security Testing from Trustwave SpiderLabs® allows IT and information security teams to take a programmatic approach to vulnerability management through managed vulnerability scanning across databases, networks and applications, as well as in-depth manual penetration testing of networks and applications.

Now more than ever, businesses realize the need for proactive security testing, and budgets are increasing as a result. Still, planning for and procuring security testing presents a number of challenges:

Anticipating future testing needs

Conducting testing in a timely manner

Making testing an efficient, business-as-usual initiative rather than an obstacle

Getting high quality testing across multiple asset types

Standardizing repeatable testing/reporting across asset types

Fulfilling compliance requirements

Effectively managing multiple tests, and re-testing, over the course of the year

Managed Security Testing menu of services

Databases

Managed Scanning: Compliance Scanning, Best Practices Scanning
Penetration Testing: As discovered in penetration testing

Networks

Managed Scanning: Best Practices Scanning
Penetration Testing, Internal Network: Basic; Opportunistic; Targeted; Advanced (includes password analysis)
Penetration Testing, External Network: Basic; Opportunistic; Targeted (includes limited phishing exercise); Advanced (includes social engineering exercise)

Applications

Managed Scanning: Compliance Scanning, Best Practices Scanning
Penetration Testing: Basic; Opportunistic; Targeted; Advanced

Four levels of testing

Trustwave SpiderLabs designed four levels of penetration testing to align with four levels of threats to your network. Depending on your budget and the business value you assign to the assets you intend to test, you will choose one of the following levels of testing for applications or internal or external networks:

Basic Threat

Simulates the most common attacks executed in the wild today. This class of attacker typically uses freely available, automated attack tools.

Opportunistic Threat

Builds upon the basic threat and simulates an opportunistic attack executed by a skilled attacker who does not spend an extensive amount of time executing highly sophisticated attacks. This type of attacker seeks easy targets ("low-hanging fruit") and will use a mix of automated tools and manual exploitation to penetrate their targets.

Targeted Threat

Simulates a targeted attack executed by a skilled, patient attacker that has targeted a specific organization. This class of attacker will expend significant resources and effort trying to compromise an organization's systems.

Advanced Threat

Simulates an advanced attack executed by a highly motivated, well-funded and extremely sophisticated attacker who will exhaust all options for compromise before relenting.

Benefits:

Keep pace with business demands
Data security leaders know that if security is an obstacle, the business will find ways around it. Trustwave's 2014 Security Pressures Report states that four out of five IT professionals report being pressured to roll out IT projects despite security concerns. Adapt quickly to change and keep up with business demands without leaving security considerations behind. Managed Security Testing's flex-spend model allows you to earmark budget for testing, and then consume testing funds at a moment's notice.

Make budget planning easier and operationalize testing costs
Many IT security professionals know that they will need security testing throughout the year, but not exactly how much. Managed Security Testing's pre-scoped scans and tests, cost transparency and flex-spend consumption model make planning easier and more precise. You define your security budget and then allocate it as you see fit. With quarterly payments, penetration testing becomes a predictable operating expense that can be built into your budgets.

Get testing right when you need it, minus the hassle
Avoid lengthy negotiations and contracts held up in legal with Managed Security Testing's flex-spend model. Enroll a target in testing in minutes and schedule a test with just two weeks' lead time in fewer than five clicks.

Re-test and validate fixes at no extra cost
Maintenance tests included with any penetration test will re-evaluate findings, wherever possible, to provide evidence of remediation and mitigation actions and support fulfillment of compliance requirements.

Standardize scalable, repeatable scanning and testing
You'll know exactly what to expect from Managed Security Testing across your databases, networks and applications with clear pricing and pre-defined scoping. Consolidate management and reporting with a single pane of glass, rather than juggling multiple inconsistent report formats and tracking spreadsheets.

Establish or maintain compliance
Standards, such as the PCI DSS, require vulnerability scanning and penetration testing of in-scope network environments and applications. Managed Security Testing helps fulfill PCI DSS requirements, such as 6.6 and 11.3, and provides ongoing evaluation of the security of your networks or applications to support HIPAA, Sarbanes-Oxley (SOX), FISMA and GLBA/FFIEC compliance efforts.

How It Works:

You identify your testing budget and allocate it as you see fit. Your account balance depletes with each database, network or application you enroll, and you can refill your account at any time.

An initial balance is credited to your account

You enroll a database, network or application target and choose the level of testing

Your account balance is debited according to predefined pricing

You schedule your tests for the enrolled network or application

A SpiderLabs expert conducts the test

Dynamic reporting is made available in the portal

You view and manage reporting within the portal

If desired, you then schedule maintenance testing to re-evaluate findings where possible